[PF] Symmetric routing enforcement, how-to without using "reply-to"...

Nils Beyer nbe at renzel.net
Fri Apr 7 07:48:08 UTC 2017


On 04/07/2017 03:40, Takahiro Kurosawa wrote:
> What if you change the line:
> pass in inet proto tcp to port { ssh }
> to:
> pass in inet proto tcp to port { ssh } no state

Close, but I had to use the "no state" on the "pass out" rules as well.
Now it looks like that:
-----------------------------------------------------------------------
scrub in all

set skip on lo0

pass in quick inet proto icmp from any to self no state
pass in quick inet proto tcp from any to self port { ssh } no state
block in quick log to self

pass out quick on $if_ext2 route-to ($if_ext1 $gw_ext1) from $if_ext1 to any
pass out quick on $if_ext2 route-to ($if_ext1 $gw_ext1) from $if_ext1 to any no state
pass out quick on $if_ext1 route-to ($if_ext2 $gw_ext2) from $if_ext2 to any
pass out quick on $if_ext1 route-to ($if_ext2 $gw_ext2) from $if_ext2 to any no state
pass out quick from self
-----------------------------------------------------------------------


> Without "no state", the incoming ssh packet generates a pf state entry,
> then the response packets are probably passed by the state instead of
> using "route-to" rules.

That makes absolute sense...



Regards,
Nils
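Added illustration (not part of this thread, and not pf's own code): a small Python model of pf's packet path that reproduces what Takahiro describes. It assumes every rule is "quick" (first match wins, as in the ruleset above), states are floating (pf's default), and a state created by a rule without route-to carries no routing override; the interface names, addresses and the "ssh-1" flow id are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    direction: str                   # "in" or "out"
    on: Optional[str] = None         # interface the rule applies on; None = any
    src: Optional[str] = None        # source address to match; None = any
    dst: Optional[str] = None        # destination address to match; None = any
    route_to: Optional[str] = None   # interface to force the packet out of
    keep_state: bool = True          # False models the "no state" option

@dataclass
class Packet:
    direction: str
    iface: str    # interface pf sees it on; for "out" this is the routing table's choice
    src: str
    dst: str
    flow: str     # connection id (constructed); a reply shares it with the original packet

def pf_pass(rules, states, pkt):
    """Return ("state"|"rule"|"block", egress_iface); creates state when a stateful rule matches."""
    if pkt.flow in states:           # state lookup happens before any rule is consulted
        return "state", pkt.iface    # passed by state: the route-to rules are never reached
    for r in rules:                  # all rules are quick, so first match wins
        if r.direction != pkt.direction or (r.on and r.on != pkt.iface):
            continue
        if (r.src and r.src != pkt.src) or (r.dst and r.dst != pkt.dst):
            continue
        if r.keep_state:
            states.add(pkt.flow)
        return "rule", (r.route_to or pkt.iface)
    return "block", None

def ssh_reply_path(inbound_no_state: bool):
    """SSH SYN arrives on ext1; its SYN-ACK is handed to pf on the default-route interface ext2."""
    ext1, ext2 = "192.0.2.10", "198.51.100.10"   # constructed addresses of $if_ext1 / $if_ext2
    rules = [
        Rule("in", dst=ext1, keep_state=not inbound_no_state),   # pass in ... to self [no state]
        Rule("in", dst=ext2, keep_state=not inbound_no_state),
        Rule("out", on="ext2", src=ext1, route_to="ext1", keep_state=False),  # route-to ($if_ext1 $gw_ext1)
        Rule("out", on="ext1", src=ext2, route_to="ext2", keep_state=False),  # route-to ($if_ext2 $gw_ext2)
        Rule("out", src=ext1), Rule("out", src=ext2),              # pass out quick from self
    ]
    states, client = set(), "203.0.113.5"
    pf_pass(rules, states, Packet("in", "ext1", client, ext1, "ssh-1"))
    return pf_pass(rules, states, Packet("out", "ext2", ext1, client, "ssh-1"))
```

With a stateful inbound rule the reply is matched by the state and leaves on ext2 (asymmetric); with "no state" it falls through to the route-to rule and goes back out ext1.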

